
Minor security fixes

Laurent Destailleur 4 years ago
parent
commit
f066da1811

+ 4 - 4
SECURITY.md

@@ -97,19 +97,19 @@ Scope is the web application (back office) and the APIs.
 
 ## Non-qualifying vulnerabilities for Bug bounty programs, but qualified for reporting
 * "Self" XSS
-* Missing cookie flags
 * SSL/TLS best practices
 * Denial of Service attacks
 * Clickjacking/UI redressing
-* Physical or social engineering attempts
+* Physical or social engineering attempts or issues that require physical access to a victim’s computer/device
 * Presence of autocomplete attribute on web forms
 * Vulnerabilities affecting outdated browsers or platforms
-* Issues that require physical access to a victim’s computer/device
 * Logout and other instances of low-severity Cross-Site Request Forgery
+* Missing cookie flags
 * Missing security-related HTTP headers which do not lead directly to a vulnerability
 * Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
 * Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
 * Reports on features flagged as "experimental" or "development"
-* Software version disclosure when logged user is admin
+* Software version or private IP disclosure when logged user is admin
 * Stack traces or path disclosure when logged user is admin
+* Any vulnerabilities due to a configuration different than the one defined into chapter "Scope for qualified vulnerabilities".
 

+ 2 - 0
htdocs/accountancy/index.php

@@ -38,6 +38,7 @@ if ($user->socid > 0)
 // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array of hooks
 $hookmanager->initHooks(array('accountancyindex'));
 
+
 /*
  * Actions
  */
@@ -54,6 +55,7 @@ if (GETPOST('addbox'))	// Add box (when submit is done from a form when ajax dis
     if ($result > 0) setEventMessages($langs->trans("BoxAdded"), null);
 }
 
+
 /*
  * View
  */

+ 1 - 0
htdocs/admin/system/filecheck.php

@@ -91,6 +91,7 @@ if (preg_match('/beta|alpha|rc/i', DOL_VERSION) || !empty($conf->global->MAIN_AL
 $enableremotecheck = true;
 
 print '<form name="check" action="'.$_SERVER["PHP_SELF"].'">';
+print '<input type="hidden" name="token" value="'.newToken().'">';
 print $langs->trans("MakeIntegrityAnalysisFrom").':<br>';
 print '<!-- for a local check target=local&xmlshortfile=... -->'."\n";
 if (dol_is_file($xmlfile))
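Review bot: The new hidden token is placed in a form that declares no `method`, so it submits with GET and the token ends up in the query string, where it is exposed through the Referer header, browser history and access logs. If the receiving code reads its parameters through GETPOST (which accepts both GET and POST) rather than `$_GET` only, the form line above should become `print '<form name="check" method="POST" action="'.$_SERVER["PHP_SELF"].'">';` — that handler, and whether it actually verifies the token, is outside the hunk. The same line also prints `$_SERVER["PHP_SELF"]` unescaped into an HTML attribute; if main.inc.php does not already sanitize that value, it should be passed through dol_escape_htmltag().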

+ 1 - 0
htdocs/core/class/html.formother.class.php

@@ -1048,6 +1048,7 @@ class FormOther
         	// Class Form must have been already loaded
         	$selectboxlist .= '<!-- Form with select box list -->'."\n";
 			$selectboxlist .= '<form id="addbox" name="addbox" method="POST" action="'.$_SERVER["PHP_SELF"].'">';
+			$selectboxlist .= '<input type="hidden" name="token" value="'.newToken().'">';
 			$selectboxlist .= '<input type="hidden" name="addbox" value="addbox">';
 			$selectboxlist .= '<input type="hidden" name="userid" value="'.$user->id.'">';
 			$selectboxlist .= '<input type="hidden" name="areacode" value="'.$areacode.'">';
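Review bot: The token is only protective if the consumer of this form checks it; the `addbox` handler visible in the htdocs/accountancy/index.php hunk (`if (GETPOST('addbox'))`) receives only blank lines from this commit, so unless main.inc.php validates `token` centrally for POST requests, a verification step belongs there too. The method containing this code starts and ends outside the hunk. As a point of style, the two lines above the form tag are indented with spaces and the new line continues the tab-indented run below them, so the stretch mixes both; a follow-up should normalise the indentation of the whole method.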

+ 2 - 0
htdocs/theme/eldy/manifest.json.php

@@ -41,6 +41,8 @@ require_once __DIR__.'/../../main.inc.php';
 $appli = constant('DOL_APPLICATION_TITLE');
 if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli = $conf->global->MAIN_APPLICATION_TITLE;
 
+top_httphead('text/json');
+
 ?>
 {
     "name": "<?php echo $appli; ?>",
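Review bot: `text/json` is not a registered media type; `top_httphead('application/json')` (or `application/manifest+json`, the type defined for web app manifests) is what clients expect, and the same line is added in htdocs/theme/md/manifest.json.php. If the intent of the header is to stop the reflected title below from being interpreted as HTML, it should be a value browsers actually honour. The `"name"` line still interpolates `$appli` inside hand-written quotes, so a double quote or backslash in MAIN_APPLICATION_TITLE produces invalid JSON; `"name": <?php echo json_encode($appli); ?>,` handles the escaping.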

+ 2 - 0
htdocs/theme/md/manifest.json.php

@@ -41,6 +41,8 @@ require_once __DIR__.'/../../main.inc.php';
 $appli=constant('DOL_APPLICATION_TITLE');
 if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli=$conf->global->MAIN_APPLICATION_TITLE;
 
+top_httphead('text/json');
+
 ?>
 {
     "name": "<?php echo $appli; ?>",